Constructing cybersecurity adopts a constructivist approach to cybersecurity and problematises the state of contemporary knowledge within this field. Setting out by providing a concise overview of such knowledge, this book subsequently adopts Foucauldian positions on power and security to highlight assumptions and limitations found therein. What follows is a detailed analysis of the discourse produced by various internet security companies, demonstrating the important role that these security professionals play constituting and entrenching this knowledge by virtue of their specific epistemic authority. As a relatively new source within a broader security dispositif, these security professionals have created relationships of mutual recognition and benefit with traditional political and security professionals. The book argues that one important product of these relationships is the continued centrality of the state within issues of cybersecurity and the extension of a strategy of neoliberal governance.
The Introduction provides the broad context for the study as well as laying out the motivations, research aims and research questions. The Introduction provides an initial justification for the decision to focus on this particular aspect of the internet security industry (developed further in Chapter 2) and also offers reflections on the method used, including which companies were studied and how the corpus was compiled. Finally, the chapter concludes with a breakdown of the book’s organisation, including what each chapter is looking to contribute to the overall objective.
Chapter 1 provides an in-depth overview of cybersecurity knowledge drawn from disciplines including politics and international relations, law and computer science. The first part of this chapter is structured around the organising themes of definition, threat and response and provides an important foundation upon which subsequent theoretical and empirical work is based. This chapter identifies a broad homogeneity across this knowledge and demonstrates how this operates within a wider national security framing that reproduces the features, tropes and tactics found therein. However, the second part of this chapter goes beyond the ‘problem solving’ conventions of cybersecurity knowledge and reveals a smaller body of critical and broadly constructivist research that investigates the same object but in a manner that eschews the commonplace agenda. By highlighting and exploring this research two things are achieved: first, my own study is situated within a wider academic body of work that sets out to investigate cybersecurity by utilising different ontological, epistemological and methodological assumptions; second, by revealing this heterogeneity I project a path forward for my own theoretical and empirical work that recognises the importance of a broader inter subjective process of knowledge construction that requires engagement with alternative sources, such as the internet security industry.
Chapter 2 provides the theoretical framework for the book’s empirical analysis and clarifies a number of theoretical and conceptual tools that are central to this book’s objectives and contributions. Power and security are two such concepts, and the chapter begins by clarifying the conceptualisation of power outlined by Michel Foucault that is adopted in this study by elaborating upon one of his ideas: power/knowledge. From here the chapter hones in on the ‘third modality’ of power, that of governmentality, to demonstrate how this functions across society and the role that the security dispositif plays in allowing this form of power to function. Prior to embarking on the empirical analysis, this chapter’s final section ties together the work on power, governance and security with established work on both ‘epistemic communities’ and ‘security professionals’. I elaborate on these theorisations to link the productive functioning of power with the role particular ‘privileged’ experts play within the dispositif to give meaning to the phenomenon of security, sediment certain understandings, prioritise particular responses and foreclose alternative thinking. It is in this final section where I most explicitly make the argument for the need to conduct constructivist research into private security industry discourse.
Chapter 3 is the first of two chapters that present the empirical findings of the research into the internet security industry. In this chapter, the focus is placed upon ‘cyberspace’, characterised as the milieu within which (in)security plays out. The chapter provides a number of references to the articles, white papers, blogs and reports produced by the various different companies to reveal the themes, tropes and tactics in evidence here. The chapter divides these by the categories of vulnerability and uncertainty. The constructivist analysis that is conducted within the chapter reveals a space constituted as inherently weak and vulnerable to exploitation and attack as well as affording nefarious actors tremendous scope to conduct activities in relative secrecy, which serves to compound this vulnerability with a large degree of uncertainty. While efforts are made in this chapter to identify a dominant discourse, the chapter does also draw attention to dissident and counter-hegemonic expertise that stands at odds with it.
Chapter 4 continues in the same vein as the previous chapter but shifts the focus to the threats themselves. The chapter considers how danger and destructiveness are constituted as self-evident features of various nefarious acts executed by a diverse range of actors that present salient and credible threats in the present as well as for the future. The analysis contained within this chapter identifies a number of discursive tactics, such as the way in which ‘cyber-threats’ are synonymised with physical threats (bombs, bullets, etc.), as well as the use of military historical analogies. As with the previous chapter, an effort is made not only to capture the sentiment of the dominant position regarding cyber-threats but also those divergent moments and dissident voices that co exist alongside them.
Chapter 5 draws together the empirical and theoretical work to reflect on the importance of the internet security industry in the construction of cybersecurity knowledge and the role relationships between private entities and professionals of politics play in the sedimentation of cybersecurity as analogous with national security. I begin by highlighting the broad homogeneity that exists between the expert discourse that I have studied and the ‘dominant threat frame’ identified by others such as Dunn Cavelty (2008) before theorising as to why this is and what impact it has on a broader process of knowledge construction. To achieve this I pay particular attention to the positon and raison d’être of the industry I have studied as well as the formation of communities of mutual recognition that have provided mutual benefit for both the industry and the state. I conclude that the arrival of the ‘technological age’ poses challenges to the traditional Weberian model of security governance. Subsequently, there has been an expansion and reorganisation of the security dispositif to more fully include private expertise as a means of overcoming a sovereignty gap and allowing for the continuation of a strategy of neoliberal governance.